Description
This article describes how to change the default login-attempt-limit and login-block-time for SSL VPN users, and how to inspect and clear the resulting SSL VPN blocklist.
Scope
FortiGate.
Solution
The default login-attempt-limit for SSL VPN users is 2 and the default login-block-time is 60 seconds.
This means that if a user enters an incorrect username/password combination twice in a row, the FortiGate blocks further login attempts from that source IP address and returns the message 'Too many bad attempts. Please try again in few minutes'.
The user must then wait 60 seconds before trying to log in again.
To increase or otherwise change these values, configure them from the CLI as shown below.
Keeping the attempt limit low and raising the block time helps mitigate brute-force attacks against the SSL VPN portal, because each source address gets only a handful of guesses before it is locked out for the configured period.
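The following is an added example of the configuration workflow; it is not the article's own config snippet. It uses the FortiOS commands `config vpn ssl settings` with `set login-attempt-limit` and `set login-block-time`, together with the `diagnose vpn ssl blocklist` commands this article describes. The chosen values (5 attempts, 300 seconds) are illustrative, the IP address 203.0.113.45 is a placeholder, and the argument order for the `del addr` variant is assumed from the syntax shown in this article:

```text
# Added example, not from the article. Harden SSL VPN lockout from the FortiOS CLI.
# Factory defaults are login-attempt-limit 2 and login-block-time 60 (seconds).
# Setting login-attempt-limit to 0 turns the lockout off entirely; avoid that.
# In a multi-VDOM unit, enter the VDOM first (config vdom / edit <name>).

config vpn ssl settings
    set login-attempt-limit 5      # illustrative: lock after 5 consecutive failures
    set login-block-time 300       # illustrative: keep the source blocked for 5 minutes
end

# Confirm the running values
show vpn ssl settings | grep login

# Inspect the blocklist (FortiOS 7.2.6 and later, 7.4.1 and later):
# 'locked' entries have hit the limit, 'pending' entries are still below it
diagnose vpn ssl blocklist list
diagnose vpn ssl blocklist count

# Release one address after confirming it belongs to a legitimate user
# (argument form assumed from <all|vfid|addr> in this article; placeholder IP)
diagnose vpn ssl blocklist del addr 203.0.113.45
```

A longer block time raises the cost of online guessing without changing how many attempts a legitimate user gets; a lower attempt limit does the opposite, so tune the two together and check the blocklist before releasing an address so that an active attacker is not unblocked by mistake.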
To view the blocklisted IP addresses, use the CLI command:
diagnose vpn ssl blocklist list
Note: this command is available in FortiOS 7.2.6 and later, and in 7.4.1 and later.
Sample output:
Status: locked – the source address has reached the configured login-attempt-limit and is blocked until the login-block-time expires.
pending – the source address has one or more failed attempts but is still below the configured login-attempt-limit.
To delete an entry from the SSL VPN blocklist, use the CLI command:
diagnose vpn ssl blocklist del <all|vfid|addr>
Sample output:
To view the total number of users (source addresses) with failed login attempts, use the CLI command:
diagnose vpn ssl blocklist count
This method does not apply to SAML user groups. With SAML, the credentials are validated by the IdP (an Azure application, FortiAuthenticator, or another identity provider), not by the FortiGate, so the FortiGate never sees an incorrect username/password entry and cannot count failed attempts. Lockout for those users has to be enforced on the IdP side.
Related article:
Technical Tip: How to unblock IP addresses from the SSL VPN blocklist
Copyright 2024 Fortinet, Inc. All Rights Reserved.